I am asked for an upgrade OpenSSH version because of CVE-2023-38408, here is my process.:
yum groupinstall -y "Development Tools"
yum install -y zlib-devel openssl-devel wget
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
cd /tmp
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
tar -xzf openssh-9.3p2.tar.gz
cd openssh-9.3p2
yum install -y pam-devel libselinux-devel
./configure --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
make && make install
It compiler ssh and sshd with 9.3p2 successfully in my os, so I got two versions of sshd:
- /usr/sbin/sshd OpenSSH_7.4p1
- /usr/local/sbin/sshd OpenSSH_9.3
next I shoud change /usr/lib/systemd/system/sshd.service execute path for the new version of sshd.
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
I switched /usr/sbin/sshd
to /usr/local/sbin/sshd
, and did systemctl daemon-reload
, service sshd restart
, but it didn’t work out, the message is:
Aug 25 07:37:57 localhost.localdomain systemd[1]: sshd.service start operation timed out. Terminating.
Aug 25 07:37:57 localhost.localdomain sshd[2276]: Received signal 15; terminating.
Aug 25 07:37:57 localhost.localdomain systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has failed.
--
-- The result is failed.
Aug 25 07:37:57 localhost.localdomain systemd[1]: Unit sshd.service entered failed state.
Aug 25 07:37:57 localhost.localdomain systemd[1]: sshd.service failed.
Aug 25 07:37:57 localhost.localdomain polkitd[365]: Unregistered Authentication Agent for unix-process:2259:84553 (system bus name :1.46, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_
Aug 25 07:38:39 localhost.localdomain systemd[1]: sshd.service holdoff time over, scheduling restart.
Aug 25 07:38:39 localhost.localdomain systemd[1]: Stopped OpenSSH server daemon.
-- Subject: Unit sshd.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has finished shutting down.
Aug 25 07:38:39 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
-- Subject: Unit sshd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has begun starting up.
Aug 25 07:38:39 localhost.localdomain sshd[2278]: Server listening on 0.0.0.0 port 22.
Aug 25 07:38:39 localhost.localdomain sshd[2278]: Server listening on :: port 22.
Have no idea that the problem is on the file or the service config.